Being the most popular platform for IOT devices, it makes sense to start with the ESP devices when improving security. In his video, [Andreas] starts at the beginning, covering the basics of SSL, before branching out into how to use these embedded systems with secure cloud services, and the memory requirements to do so. [Andreas] has made the code available on GitHub so it can be readily included in your own projects.

Obviously implementing increased security isn’t free; there’s a cost in terms of processing power, memory, and code complexity. However, such steps are crucial if IOT devices are to become trusted in wider society. A malfunctioning tweeting coffee pot is one thing, but being locked out of your house is another one entirely.

“However, such steps are crucial if IOT devices are to become trusted in wider society.”
I’m not sure if I agree. Connection to IoT devices should be encrypted, but why use inefficient http/https instead of some dedicated protocols?

The Web is predominantly REST-based, and using a dedicated/legacy protocol just adds to semantic complexity.

Yes, transport layer security is required. No, that does not imply HTTPS is the solution. You can use a standardised protocol specifically developed in the IETF for constrained IoT devices, called CoAP, which is REST-based, and can run over UDP (and DTLS) or TCP (and TLS).

Most people using the ESPs (or IOT things in general) tend to use MQTT over TLS sockets; the underlying protocol is small and you have a better guarantee of delivery. There are a bunch of libraries and functionality provided without jumping through hoops. If you wanted to set up CoAP on something like AWS IoT to stream data over DTLS the path for that isn’t exactly clear, and some desired CoAP functionality may not even be capable on ESP at the moment (https://github.com/esp8266/Arduino/issues/2932).

1. Door locks – I can now granularly control who has access to my house. I can set up unique passwords for each person, or take data from other sources to allow remote entry.

2. Various sensors – these can gather basic data ranging from temp probes in rooms and refrigerator/freezer, PIR devices for occupancy, door/window open sensors, cameras, and more. These don’t inherently *do* something but provide ‘senses’ to deciding algorithms.

3. Servos and Motors – with mechanical stuff available, actions can be done on a script or based upon input from sensors.

—
What can you do with these things? I can walk in a room, and the lights gently turn on. There’s a camera doing basic item recognition, and it can tell it’s me, so the lights turn to the colors I like. It sees me with a laptop and then lowers the lights to what I’ve had it before.

I close the laptop, and watch a movie on the tv. I like drinking wine during a movie, so it establishes a connection with a delivery driver for alcohol (legal where I live). 15 minutes later, the delivery driver gets here and I provide ID. It was already paid for.

I start feeling warm, and want the temp to turn down some. So I say “Computer, turn down temperature to 65f”, and it does so. It notes that the front door was open, so temp regulation is not ideal, since it’s a lot colder outside.
—

The problem with IoT like this is that it’s NOT simple to connect these together for your benefit. Right now, the sensors and actuators are tied to specific devices and to other people’s corporate clouds. In effect, *they* control your hardware, not yourself. Look at Nest, Yale locks, Alexa, and plenty others. Your data is whisked away, and you have no understanding or control of what happens.

That’s why I created this: https://hackaday.io/project/12985-multisite-homeofficehackerspace-automation . It uses a cloud, of only your devices. I started from a basis of “My hardware, using protocols I can use, glued together with open source, along with Tor for cloud computing”. The only thing I use that isn’t mine is the internet, and Tor. Everything else is open sourced, down to the gerbers.

Good idea!
There is way too much reliance on “The Cloud”, particularly as the cloud in question belongs to someone else.
I do like the idea of a local cloud, with remote access via a secure VPN or something like that.

I agree with @some guy, most IoT is just a way of generating data to the company (often they give the service free as long as you sign your privacy away).

I don’t want most of my IoT to head out to the internet and back, I want it to stay in my home. Sadly I won’t be generating enough data to use AI/ML to do something useful in my home, but I also won’t be marketing chips that some company owns.

Disabling old versions of TLS does protect you if the hacking tool exploits a vulnerability in an older version of TLS… I get what you’re saying though, and implementation vulnerabilities will always be a thing.

HPKP is good. Perhaps even more importantly, not accepting that all CAs some hooligans at google or mozilla decided to put in your trust store should actually stay there is a good thing.
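As an added example (not code from the video, the article, or the ESP8266 core itself), this is the check a pinning client performs when it calls `WiFiClientSecure::setFingerprint()` with a certificate SHA-1 fingerprint instead of trusting whatever root store ships with the firmware. It is plain C++ so it builds on a desktop; the TLS stack is assumed to hand us the 20-byte digest of the server certificate, and the digest used below is a constructed stand-in, not a real certificate's.

```cpp
#include <array>
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <string>

// A SHA-1 certificate fingerprint is 20 bytes.
constexpr std::size_t kFpLen = 20;
using Fingerprint = std::array<std::uint8_t, kFpLen>;

// Parse "AB:CD:..." / "AB CD ..." / "abcd..." into 20 bytes.
// Any malformed pin returns false, so a typo in the pinned string can
// never silently degrade into an accept-anything check.
bool parsePin(const std::string& text, Fingerprint& out) {
    std::size_t n = 0;
    int hi = -1;                         // pending high nibble, or -1
    for (char c : text) {
        if (c == ':' || c == ' ') continue;   // separators are optional
        unsigned char uc = static_cast<unsigned char>(c);
        if (!std::isxdigit(uc)) return false;
        int v = std::isdigit(uc) ? c - '0' : std::tolower(uc) - 'a' + 10;
        if (hi < 0) { hi = v; continue; }
        if (n >= kFpLen) return false;        // more than 20 bytes
        out[n++] = static_cast<std::uint8_t>((hi << 4) | v);
        hi = -1;
    }
    return hi < 0 && n == kFpLen;             // no dangling nibble, exact length
}

// Constant-time comparison: timing must not reveal where the first
// mismatching byte is.
bool pinMatches(const Fingerprint& presented, const Fingerprint& pinned) {
    std::uint8_t diff = 0;
    for (std::size_t i = 0; i < kFpLen; ++i) diff |= presented[i] ^ pinned[i];
    return diff == 0;
}

// Handshake-time decision: proceed only if the digest of the certificate
// the server presented equals the pin compiled into the firmware.
bool acceptServer(const Fingerprint& presentedSha1, const std::string& pin) {
    Fingerprint expected{};
    if (!parsePin(pin, expected)) return false;   // bad pin: fail closed
    return pinMatches(presentedSha1, expected);
}

// Constructed sample digest (bytes 0x00..0x13); stands in for what the
// TLS stack would compute over the real server certificate.
Fingerprint constructedDigest() {
    Fingerprint d{};
    for (std::size_t i = 0; i < kFpLen; ++i) d[i] = static_cast<std::uint8_t>(i);
    return d;
}
```

A pinned fingerprint has to be rotated in firmware whenever the server certificate is renewed, which is the operational cost of not relying on the root store.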

I didn’t watch the whole video, I’m curious if he mentions the ESP8266 likely lacks enough memory to handle modern day sized asymmetric keys. But yeah, this guy didn’t do much to bring HTTPS to the ESP8266 and ESP32 other than make a video, sort of detracts from the real work that devs have been doing for over three years now.

Roger, you saw the video. I never said I invented anything. I just wanted to explain https so that it can be used by others. My main goal was to still be able to access cloud services when they no longer accept http connections. I had no plans to save the world ,-)

One other thing I’d like to see, data signing. I have a board, an ESP8266 IR transceiver, that signs the data. It adds a small chip (looks like an SMT transistor) that you can use to create the signature. It ups the layer of trust a bit further.

While I’d like to think that what I’m sending is of little value to someone else it seems to be enough that big companies want to sell me their IoT cloud service. I’m not really sure what they are doing with the data and that worries me.

That sounds great. Anything that has to do with making your own things on or about you and what you do, keeping it yours, I am all in and down for it. Sounds great, sounds more than great actually, can’t wait to try it out. Thanks for the insight and heads up. Let me know when it is up and ready, shoot it to me if possible. Thanks, be safe and God bless …… Nathan Trujillo ………